—D. J. Bernstein, Professor, Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
DNS still vulnerable, Bernstein says.
CHICAGO, Thursday 7 August 2008 - Do you bank over the Internet? If so, beware: recent Internet patches don’t stop determined attackers.
Network administrators have been rushing to deploy DNS source-port randomization patches in response to an attack announced by security researcher Dan Kaminsky last month. But the inventor of source-port randomization said today that new security solutions are needed to protect the Internet infrastructure.
“Anyone who knows what he’s doing can easily steal your email and insert fake web pages into your browser, even after you’ve patched,” said cryptographer Daniel J. Bernstein, a professor in the Center for Research and Instruction in Technologies for Electronic Security (RITES) at the University of Illinois at Chicago.
Bernstein’s DJBDNS software introduced source-port randomization in 1999 and is now estimated to have tens of millions of users. Bernstein released the DJBDNS copyright at the end of last year.
Kaminsky said at the Black Hat conference yesterday that 120,000,000 Internet users were now protected by patches using Bernstein’s randomization idea. But Bernstein criticized this idea, saying that it was “at best a speed bump for blind attackers” and “an extremely poor substitute for proper cryptographic protection.”
DNSSEC, a cryptographic version of DNS, has been in development since 1993 but is still not operational. Bernstein said that DNSSEC offers “a surprisingly low level of security” while causing severe problems for DNS reliability and performance.
“We need to stop wasting time on breakable patches,” Bernstein said. He called for development of DNSSEC alternatives that quickly and securely reject every forged DNS packet.